There are many guides on the web about how to run a v2 Docker Registry, including the official documentation. However, I couldn't get a secure, password-protected registry to start up after reading the official documentation. Other guides recommend using nginx as a proxy to implement basic authentication, but the official documentation discourages this.
This post will walk you through the steps necessary to set up a secure Docker Registry 2.0 with basic authentication without a proxy server.
Step 1: Read the Documentation
Read the official documentation on deploying a v2 Docker Registry. You can skip to the end for a working example, but it's best to really understand what's going on here.
Step 2: Buy an SSL Certificate (really)
You should run your registry using a valid SSL certificate. I purchased a certificate, valid for 3 years, from SSLs.com for $14 USD last night. At less than $5 a year, it's a no-brainer to do things right, even if it's just an experiment.
If you're using a CentOS/RedHat based distribution, the best place to put your private key and certificate chain is
Step 3: Install Docker Compose
Install Docker Compose. We're going to use it to define our registry setup in a declarative fashion. If you're attempting this on Windows, don't. Docker Compose doesn't work. Quit now or install Linux in a VM and keep reading.
Step 4: Create your htpasswd file
Use the registry:2 Docker image to create a bcrypt-encoded password for each user you want to have access to your private repository.
# mkdir -p /var/lib/docker-registry/auth/
# docker run --rm --entrypoint htpasswd registry:2 -Bbn username password >> /var/lib/docker-registry/auth/htpasswd
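An added check for the htpasswd file built in this step (example code, not from the original post): the registry's htpasswd authentication only accepts bcrypt entries, so the hypothetical `audit_htpasswd` function below flags entries in other formats, truncated hashes, and duplicate users left behind by repeated `>>` appends. The sample entries are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Added example, not from the original post. audit_htpasswd is a hypothetical
# helper: prints one line per problem, returns the number of problems found.
audit_htpasswd() {
    problems=0 seen="" lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        [ -z "$line" ] && continue            # skip blank lines
        user=${line%%:*}
        hash=${line#*:}
        if [ "$user" = "$line" ] || [ -z "$user" ]; then
            echo "line $lineno: not in user:hash form"
            problems=$((problems + 1))
            continue
        fi
        case $hash in
            '$2a$'*|'$2b$'*|'$2y$'*)
                # A bcrypt string is always 60 characters long.
                if [ "${#hash}" -ne 60 ]; then
                    echo "line $lineno: $user has a malformed bcrypt hash"
                    problems=$((problems + 1))
                fi ;;
            *)
                echo "line $lineno: $user is not a bcrypt entry"
                problems=$((problems + 1)) ;;
        esac
        case " $seen " in
            *" $user "*)
                echo "line $lineno: duplicate entry for $user"
                problems=$((problems + 1)) ;;
        esac
        seen="$seen $user"
    done < "$1"
    return "$problems"
}

# Constructed sample: placeholder strings shaped like hashes, not real ones.
sample=$(mktemp)
cat > "$sample" <<'EOF'
alice:$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0

bob:$apr1$constructed$placeholder
alice:$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
carol:$2y$05$truncated
EOF
audit_htpasswd "$sample" || echo "$? problem(s) found"
```

Run it against /var/lib/docker-registry/auth/htpasswd before starting the registry; a return status of 0 means every entry is a well-formed, unique bcrypt entry.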
Step 5: Create a Custom Registry Configuration
Although the documentation says you can pass environment variables, such as REGISTRY_AUTH_HTPASSWD_PATH, to require basic authentication to your realm, it doesn't work. You'll have to create a custom registry config.yml to support this.
Here's a complete, working
version: 0.1
log:
  level: info
  fields:
    service: registry
storage:
  cache:
    layerinfo: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
auth:
  htpasswd:
    realm: basic-realm
    path: /auth/htpasswd
http:
  addr: :5000
Step 6: Create Your Docker Compose File
Before defining your registry in a docker-compose.yml file, you should create on your host:
/var/lib/docker-registry/conf to hold your registry configuration
/var/lib/docker-registry/data to hold persistent registry data
/etc/pki/tls/certs/docker-registry containing your SSL certificate and any intermediate certificates
/var/lib/docker-registry/auth to hold your
Create your volumes that we'll map into the Docker container:
# mkdir -p /var/lib/docker-registry/auth
# mkdir -p /var/lib/docker-registry/conf
# mkdir -p /var/lib/docker-registry/data
/var/lib/docker-registry/auth> put your
/var/lib/docker-registry/conf> put your
/var/lib/docker-registry/data> directory for registry data
Create a docker-compose file containing the following:
registry:
  restart: always
  image: registry:2
  ports:
    - 5000:5000
  environment:
    REGISTRY_HTTP_TLS_CERTIFICATE: /certs/domain.crt
    REGISTRY_HTTP_TLS_KEY: /certs/domain.key
    REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry
  volumes:
    - /var/lib/docker-registry/conf:/etc/docker/registry
    - /var/lib/docker-registry/data:/var/lib/registry
    - /etc/pki/tls/certs/docker-registry:/certs:ro
    - /var/lib/docker-registry/auth:/auth:ro
Start Your Registry
# docker-compose up -d